Abstract

In this paper, we show that the protocol complex of a Byzantine synchronous system can remain $(k-1)$-connected for up to $\lceil t/k \rceil$ rounds, where $t$ is the maximum number of Byzantine processes, and $t \ge k \ge 1$. This topological property implies that $\lceil t/k \rceil + 1$ rounds are necessary to solve $k$-set agreement in Byzantine synchronous systems, compared to $\lfloor t/k \rfloor + 1$ rounds in synchronous crash-failure systems. We also show that our connectivity bound is tight, as we indicate solutions to Byzantine $k$-set agreement in exactly $\lceil t/k \rceil + 1$ synchronous rounds, at least when $n$ is suitably large compared to $t$. In conclusion, we see how Byzantine failures can potentially require one extra round to solve $k$-set agreement, and, for $n$ suitably large compared to $t$, at most that.


1 Introduction 

A task is a distributed coordination problem where multiple processes start with private inputs, communicate among themselves (by shared memory or message passing), and halt with outputs consistent with the task specification. There are crash-failure systems [?], where processes can fail only by permanent, unannounced halting, or Byzantine-failure systems [18], where processes can fail arbitrarily, even maliciously. In synchronous systems, communication and computation are organized in discrete rounds. In each round, each non-faulty process performs as follows, in order: (i) sends a message; (ii) receives all messages sent in the current round by the other processes; and (iii) performs internal computation. In asynchronous systems, processes may have different relative speeds, and communication is subject to unbounded but finite delays.

The problem of consensus in the synchronous Byzantine message-passing model was among the earliest to be investigated, and upper and lower consensus bounds in that model are well understood. In this paper, we turn our attention to the overall computational power of this model, including bounds for problems such as $k$-set agreement. We use concepts and techniques adapted from combinatorial topology. In essence, we can capture all possible information dissemination patterns permitted by this model in a single combinatorial structure called a simplicial complex (or just complex). A classical topological property of a simplicial complex is its level of connectivity, which is, roughly speaking, the dimension below which it has no holes. Many classical proofs of consensus impossibility can be reformulated as showing that certain complexes are 0-connected (also called path-connected), and all known impossibility proofs for $k$-set agreement rely on showing that certain complexes are $(k-1)$-connected. Very informally, the higher the degree of connectivity imposed by the adversary, the weaker the model’s computational power. Here, we present the first tight bounds on connectivity for the synchronous Byzantine message-passing model.

Prior work using topological techniques is discussed in Sec. 2. Our operational setting is detailed in Sec. 3, and our topological model is formalized in Sec. 4.

Our first contribution comes in Sec. 5. We show that, in a Byzantine synchronous system, the protocol complex can remain $(k-1)$-connected for $\lceil t/k \rceil$ rounds, where $t$ is an upper bound on the number of Byzantine processes. Perhaps surprisingly, this is only one more round than the upper bound for crash-failure systems ($\lfloor t/k \rfloor$, shown in [8]). Technically, we conceive a combinatorial operator modeling the ability of Byzantine processes to equivocate, that is, to transmit ambiguous state information, without revealing their Byzantine nature. We compose this operator with regular crash-failure operators, extending the protocol complex connectivity for one extra round. As noted, connectivity is of interest because a $(k-1)$-connected protocol complex prevents important problems such as $k$-set agreement [?] from having solutions.

Our second contribution comes in Sec. 6. We show that the above connectivity bound is tight in certain settings (described in Sec. 6), by solving $k$-set agreement in $\lceil t/k \rceil + 1$ rounds. We do so with a full-information protocol that assumes $n$ suitably large compared to $t$. The protocol suits well our purpose of tightening the $\lceil t/k \rceil$ bound, and also exposes clearly the reason why $\lceil t/k \rceil + 1$ rounds is enough to solve $k$-set agreement.

These results give new insight into the power of Byzantine adversaries for problems beyond consensus. Although Byzantine adversaries seem much more powerful than crash-failure ones, we show that a Byzantine adversary can impose at most one additional synchronous round beyond that imposed by a crash-failure adversary. In terms of solvability vs. number of rounds, the penalty for moving from crash to Byzantine failures, captured by $(k-1)$-connectivity in the protocol complex, can be quite limited in synchronous systems, particularly when $n$ is relatively large compared to $t$.

2 Related Work 

The Byzantine failure model was initially introduced by Lamport, Shostak, and Pease [18]. The use of simplicial complexes to model distributed computations was introduced by Herlihy and Shavit [?]. The asynchronous computability theorem for general tasks in [?] details the approach for asynchronous wait-free computation in the crash-failure model. This model was recently generalized by Gafni, Kuznetsov, and Manolescu [10]. Computability in Byzantine asynchronous systems, where tasks are constrained in terms of non-faulty inputs, was recently considered in [?].

The $k$-set agreement problem was originally defined by Chaudhuri [7]. Alternative formulations with different validity notions, or failure/communication settings, are discussed in [22, 9]. A full characterization of optimal translations between different failure settings is given in [?, 23], which requires a different number of rounds depending on the relation between the number of faulty processes and the number of participating processes.

The relationship between connectivity and the impossibility of $k$-set agreement is described explicitly or implicitly in [?]. Recent work by Castañeda, Gonczarowski, and Moses [6] considers an issue of chains of hidden values, a concept loosely explored here. The approach based on shellability and layered executions for lower bounds in connectivity has been used by Herlihy, Rajsbaum, and Tuttle [?], assuming crash-failure systems, synchronous or asynchronous.
3 Operational Model

We have $n+1$ processes$^1$ $P = \{P_0, \ldots, P_n\}$ communicating by message-passing via pairwise, reliable, FIFO channels (authenticated channels in the literature [5]). Technically, all transmitted messages are delivered uniquely, in FIFO order, and with the sender reliably identified.

At most $t$ processes are faulty or Byzantine [18], and may display arbitrary, even malicious behavior at any point in the execution. The actual behavior of Byzantine processes is defined by an adversary. Byzantine processes may execute the protocol correctly or incorrectly, at the discretion of the adversary. Processes behaving in strict accordance with the protocol for rounds 1 up to some $r$ (inclusive) are called non-faulty processes up to round $r$, and are denoted by $G^r$. A process that is non-faulty up to any round $r \ge 1$ is called simply non-faulty or correct, which we denote by $G$.

We model processes as state machines. The input value (resp. output value) of a non-faulty process $P_i$ is written $I_i$ (resp. $O_i$). Byzantine processes may have “apparent” inputs, denoted as above. Each non-faulty process $P_i$ has an internal state called its view, which we denote by $\mathrm{view}(P_i)$. In the beginning of the protocol, $\mathrm{view}(P_i)$ is $I_i$. At any round $r$, any non-faulty process: (1) sends its internal state to all other processes; (2) receives the state information from other processes; (3) concatenates that information to its own internal state. After completing some number of iterations, each process applies a decision function $\delta$ to its current state in order to decide $O_i$. Thus, we assume that processes follow a full-information protocol [?].

For simplicity of notation, we define a round 0 where processes are simply assigned their inputs. Without loss of generality, all processes are assumed non-faulty up to round 0: $G^0 = P$ and $B^0 = \emptyset$. For any round $r \ge 0$, a global state formally specifies: (1) the non-faulty processes up to round $r$; and (2) the view of all non-faulty processes up to round $r$.

4 Topological Model 

We now sketch the required concepts from combinatorial topology. For details, please refer to Munkres [?], Kozlov [?], or Herlihy et al. [?].

Basics. A simplicial complex $\mathcal{K}$ consists of a finite set $V$ along with a collection of subsets of $V$ closed under containment. An element of $V$ is called a vertex of $\mathcal{K}$. The set of vertices of $\mathcal{K}$ is referred to as $V(\mathcal{K})$. Each set in $\mathcal{K}$ is called a simplex, usually denoted by lower-case Greek letters: $\sigma, \tau$, etc. The dimension $\dim(\sigma)$ of a simplex $\sigma$ is $|\sigma| - 1$.

A subset of a simplex is called a face. The collection of faces of $\sigma$ with dimension exactly $x$ is called $\mathrm{Faces}^x(\sigma)$. A face $\tau$ of $\sigma$ is called proper if $\dim(\tau) = \dim(\sigma) - 1$. We use “$k$-simplex” as shorthand for “$k$-dimensional simplex”, also in “$k$-face.” The dimension $\dim(\mathcal{K})$ of a complex is the maximal dimension of its simplexes, and a facet of $\mathcal{K}$ is any simplex having maximal dimension in $\mathcal{K}$. A complex is said to be pure if all facets have dimension $\dim(\mathcal{K})$. The set of simplexes of $\mathcal{K}$ having dimension at most $l$ is a subcomplex of $\mathcal{K}$, which is called the $l$-skeleton of $\mathcal{K}$, denoted by $\mathrm{skel}^l(\mathcal{K})$.

Maps. Let $\mathcal{K}$ and $\mathcal{L}$ be complexes. A vertex map $f$ carries vertices of $\mathcal{K}$ to vertices of $\mathcal{L}$. If $f$ additionally carries simplexes of $\mathcal{K}$ to simplexes of $\mathcal{L}$, it is called a simplicial map. A carrier map $\Phi$ from $\mathcal{K}$ to $\mathcal{L}$ takes each simplex $\sigma \in \mathcal{K}$ to a subcomplex $\Phi(\sigma) \subseteq \mathcal{L}$, such that for all $\sigma, \tau \in \mathcal{K}$, we have $\Phi(\sigma \cap \tau) \subseteq \Phi(\sigma) \cap \Phi(\tau)$. A simplicial map $\phi : \mathcal{K} \to \mathcal{L}$ is carried by the carrier map $\Phi : \mathcal{K} \to 2^{\mathcal{L}}$ if, for every simplex $\sigma \in \mathcal{K}$, we have $\phi(\sigma) \subseteq \Phi(\sigma)$.

$^1$ Choosing $n+1$ processes rather than $n$ simplifies the topological notation, but slightly complicates the computing notation. Choosing $n$ processes has the opposite trade-off. We choose $n+1$ for compatibility with prior work.

Although we defined simplexes and complexes in a purely combinatorial way, they can also be interpreted geometrically. An $n$-simplex can be identified with the convex hull of $(n+1)$ affinely independent points in the Euclidean space of appropriate dimension. This geometric realization can be extended to complexes. The point-set that underlies such a geometric complex $\mathcal{K}$ is called the polyhedron of $\mathcal{K}$, denoted by $|\mathcal{K}|$. For any simplex $\sigma$, the boundary of $\sigma$, which we denote $\partial\sigma$, is the simplicial complex of $(\dim(\sigma) - 1)$-faces of $\sigma$. The interior of $\sigma$ is defined as $\mathrm{Int}\,\sigma = |\sigma| \setminus |\partial\sigma|$.

We can define simplicial/carrier maps between geometrical complexes. Given a simplicial map $\phi : \mathcal{K} \to \mathcal{L}$ (resp. carrier map $\Phi : \mathcal{K} \to 2^{\mathcal{L}}$), the polyhedrons of every simplex in $\mathcal{K}$ and $\mathcal{L}$ induce a continuous simplicial map $\phi^c : |\mathcal{K}| \to |\mathcal{L}|$ (resp. continuous carrier map $\Phi^c : |\mathcal{K}| \to |2^{\mathcal{L}}|$). We say $\phi$ (resp. $\phi^c$) is carried by $\Phi$ if, for any $\sigma \in \mathcal{K}$, we have $|\phi(\sigma)| \subseteq |\Phi(\sigma)|$ (resp. $\phi^c(|\sigma|) \subseteq \Phi^c(|\sigma|)$).

Connectivity. In light of topology, two geometrical objects $A$ and $B$ are homeomorphic if there is a continuous map from $A$ into $B$ or vice-versa. Technically, there exists a continuous map between those objects, in either direction [?]. We say that a simplicial complex $\mathcal{K}$ is $x$-connected, $x \ge 0$, if every continuous map of a subset of $|\mathcal{K}|$ homeomorphic to an $x$-sphere in $|\mathcal{K}|$ can be extended into a subset of $|\mathcal{K}|$ homeomorphic to an $(x+1)$-disk in $|\mathcal{K}|$. In analogy, think of the two ends of a pencil as a 0-sphere, and the pencil itself as a 1-disk (the extension is possible if 0-connected); the rim of a coin as a 1-sphere, and the coin itself as a 2-disk (the extension is possible if 1-connected); the outer layer of a billiard ball as a 2-sphere, and the billiard ball itself as a 3-disk (the extension is possible if 2-connected). For us, $(-1)$-connected is understood as non-empty, and $(-2)$-connected or lower imposes no restriction.

Definition 4.1. Let $\mathbb{S} = \{(P_i, S_i) : P_i \in P'\}$, where each $S_i$ is an arbitrary set and $P' \subseteq P$. A pseudosphere $\Psi(P', \mathbb{S})$ is a simplicial complex where $\sigma \in \Psi(P', \mathbb{S})$ if $\sigma = \{(P_i, v_i) : P_i \in P', v_i \in S_i\}$.

Essentially, a pseudosphere is a simplicial complex formed by independently assigning values to all the specified processes. If $S_i = S$ for all $P_i \in P'$, we simply write $\Psi(P', S)$.

Definition 4.2. A pure simplicial complex $\mathcal{K}$ is shellable if we can arrange the facets of $\mathcal{K}$ in a linear order $\phi_0, \ldots, \phi_t$ such that $\big(\bigcup_{0 \le i < k} \phi_i\big) \cap \phi_k$ is a pure $(\dim(\phi_k) - 1)$-dimensional simplicial complex for all $0 < k \le t$. We call the above linear order $\phi_0, \ldots, \phi_t$ a shelling order.

Intuitively, a simplicial complex is shellable if it can be built by gluing its $x$-simplexes along their $(x-1)$-faces only, where $x$ is the dimension of the complex. Note that $\phi_0, \ldots, \phi_t$ is a shelling order if any $\phi_i \cap \phi_j$ ($0 \le i < j \le t$) is contained in a $(\dim(\phi_k) - 1)$-face of $\phi_k$ ($0 \le k < j$). Hence,

$$\text{for any } i < j \text{ there exists } k < j \text{ where } (\phi_i \cap \phi_j) \subseteq (\phi_k \cap \phi_j) \text{ and } |\phi_j \setminus \phi_k| = 1. \qquad (1)$$

Shellability and pseudospheres are important tools to characterize connectivity in simplicial complexes. The following lemmas are proved in [12] and [?] (pp. 252-253).

Lemma 4.3. Any pseudosphere $\Psi(P', \mathbb{S})$ is shellable, considering arbitrary $\mathbb{S} = \{(P_i, S_i) : P_i \in P'\}$.

Lemma 4.4. For any $k \ge 1$, if the simplicial complex $\mathcal{K}$ is shellable and $\dim(\mathcal{K}) \ge k$, then $\mathcal{K}$ is $(k-1)$-connected.

Nerve Theorem. Let $\mathcal{K}$ be a simplicial complex with a cover $\{\mathcal{K}_i : i \in I\} = \mathcal{K}$, where $I$ is a finite index set. The nerve $\mathcal{N}(\{\mathcal{K}_i : i \in I\})$ is the simplicial complex with vertexes $I$ and simplexes $J \subseteq I$ whenever $\mathcal{K}_J = \bigcap_{j \in J} \mathcal{K}_j \ne \emptyset$. We can characterize the connectivity of $\mathcal{K}$ in terms of the connectivity of the intuitively simpler nerve of $\mathcal{K}$ with the next theorem.
Theorem 4.5 (Nerve Theorem [?, 3]). If for any $J \subseteq I$ denoting a simplex of $\mathcal{N}(\{\mathcal{K}_i : i \in I\})$ (thus, $\mathcal{K}_J \ne \emptyset$) we have that $\mathcal{K}_J$ is $(k - |J| + 1)$-connected, then $\mathcal{K}$ is $k$-connected if and only if $\mathcal{N}(\{\mathcal{K}_i : i \in I\})$ is $k$-connected.

Protocol Complexes. We represent the evolution of the global state of the system throughout 
the rounds by simplicial complexes that we call protocol complexes. 

Definition 4.6. For $r \ge 0$, a name-view simplex $\sigma$ is such that: (i) $\sigma = \{(P_i, \mathrm{view}^r(P_i)) : P_i \in G^r\}$, where $\mathrm{view}^r(P_i)$ denotes $P_i$'s view at round $r$; and (ii) if $(P_i, \mathrm{view}^r(P_i))$ and $(P_j, \mathrm{view}^r(P_j))$ are both in $\sigma$, then $P_i \ne P_j$.

Unless otherwise noted, all of our simplicial and carrier maps $f$ are such that $\mathrm{names}(\sigma) = \mathrm{names}(f(\sigma))$, that is, they map between vertices associated with the same processes.

Definition 4.7. For any name-view simplex $\sigma$, define $\mathrm{names}(\sigma) = \{P_i : \exists V \text{ such that } (P_i, V) \in \sigma\}$ and $\mathrm{views}(\sigma) = \{V_i : \exists P \text{ such that } (P, V_i) \in \sigma\}$.

The round-0 protocol complex $\mathcal{K}^0$ has name-view $n$-simplexes $\sigma_I = \{(P_i, I_i) : P_i \in G^0\}$, representing all the possible process inputs in the beginning of the protocol. The round-$r$ protocol complex $\mathcal{K}^r$, for any $r > 0$, is defined as follows: if $\sigma \in \mathcal{K}^r$, then $\sigma = \{(P_i, \mathrm{view}^r(P_i)) : P_i \in G^r\}$, representing a possible global state of the system for round $r$.

5 Connectivity Upper Bound 

Informally, if the adversary displays Byzantine behavior early in the execution, then in a synchronous, full-information protocol, subsequent communication among the non-faulty processes can reveal the identities of the Byzantine processes, using simple techniques inspired from [?]. Instead, it behooves the adversary to postpone malicious behavior to the very last round, where it cannot be detected.

Say that non-faulty processes start the computation with inputs in $V = \{v_0, \ldots, v_d\}$, arbitrarily assigned, with some $d \ge k$ and $t \ge k \ge 1$. To prove our upper bound, we show how the adversary can impose a particular admissible execution that preserves high connectivity in the protocol complex.

Let $r = \lfloor t/k \rfloor$ and $m = t \bmod k$. We have $r$ crash rounds, where in each round $k$ processes fail by crashing, but display no Byzantine behavior. If $m > 0$, we have an extra equivocation round, where a single Byzantine process sends different views to different processes, causing extra confusion. This round-by-round execution produces a sequence of protocol complexes $\mathcal{K}^0, \ldots, \mathcal{K}^{r+1}$, related by carrier maps $\mathcal{C}^i : \mathcal{K}^{i-1} \to 2^{\mathcal{K}^i}$, for $1 \le i \le r$, and $\mathcal{E} : \mathcal{K}^r \to 2^{\mathcal{K}^{r+1}}$:

$$\mathcal{K}^0 \xrightarrow{\ \mathcal{C}^1\ } \mathcal{K}^1 \ \cdots\ \xrightarrow{\ \mathcal{C}^r\ } \mathcal{K}^r \xrightarrow{\ \mathcal{E}\ } \mathcal{K}^{r+1} \qquad (2)$$

where the last step, $\mathcal{E}$, is present only if $m > 0$.

In each of the first $r$ rounds, exactly $k$ processes are failed by the adversary. The crash-failure carrier maps are defined as follows [?].

Definition 5.1. For any $1 \le i \le r$, the crash-failure operator $\mathcal{C}^i : \mathcal{K}^{i-1} \to 2^{\mathcal{K}^i}$ is such that

$$\mathcal{C}^i(\sigma) = \bigcup_{\tau \in \mathrm{Faces}^{n-ik}(\sigma)} \Psi(\mathrm{names}(\tau); [\tau : \sigma]) \qquad (3)$$

for any $\sigma \in \mathcal{K}^{i-1}$, with $[\tau : \sigma]$ denoting the set of simplexes $\mu$ where $\tau \subseteq \mu \subseteq \sigma$.
Definition 5.2. A $q$-connected carrier map $\Phi : \mathcal{K} \to 2^{\mathcal{L}}$ is a strict carrier map such that, for all $\sigma \in \mathcal{K}$, $\dim(\Phi(\sigma)) \ge q - \mathrm{codim}_{\mathcal{K}}(\sigma)$ and $\Phi(\sigma)$ is $(q - \mathrm{codim}_{\mathcal{K}}(\sigma))$-connected.

Definition 5.3. A $q$-shellable carrier map $\Phi : \mathcal{K} \to 2^{\mathcal{L}}$ is a strict carrier map such that, for all $\sigma \in \mathcal{K}$, $\dim(\Phi(\sigma)) \ge q - \mathrm{codim}_{\mathcal{K}}(\sigma)$ and $\Phi(\sigma)$ is shellable.

After $r$ rounds, note that $\mathcal{K}^r$ only contains simplexes with dimension exactly $n - rk$. In [?], the following lemmas are proved:

Lemma 5.4. For $1 \le i \le r$, the operator $\mathcal{C}^i : \mathcal{K}^{i-1} \to 2^{\mathcal{K}^i}$ is a $(k-1)$-shellable carrier map.

Lemma 5.5. If $\mathcal{M}^1, \ldots, \mathcal{M}^x$ are all $q$-shellable carrier maps, and $\mathcal{M}^{x+1}$ is a $q$-connected carrier map, the composition $\mathcal{M}^1 \circ \ldots \circ \mathcal{M}^x \circ \mathcal{M}^{x+1}$ is a $q$-connected carrier map, for any $x \ge 0$.

Equivocation and Interpretation. After the crash-failure rounds, if $m > 0$ the adversary picks one of the remaining processes to behave maliciously at round $r + 1$. This process, say $P_b$, may send different views to different processes (which is technically called equivocation), but, informally speaking, all views are “plausible.” For example, two non-faulty processes $P_i$ and $P_j$ could be indecisive after round $r$ on whether the global state is $\sigma_1$ or $\sigma_2$ in $\mathcal{K}^r$, while $P_b$, a Byzantine process, sends a state corresponding to $\sigma_1$ to $P_i$, and a state corresponding to $\sigma_2$ to $P_j$. The faulty process $P_b$ does not reveal its Byzantine nature, yet it promotes ambiguity in the diffusion of state information.

At the final round, when a non-faulty process receives the states sent from the other processes, it must decide correctly even if one other process equivocates. If the non-faulty process can receive simplexes $\sigma_1$ and $\sigma_2$, representing global states that differ in only one process’s contribution (that is, $\dim(\sigma_1 \cap \sigma_2) = n - rk - 1$), then the interpretation of a message containing one such state must be the same as a message containing the other. We capture this notion using the equivocation operator, called $\mathcal{E}$, describing the behavior of a Byzantine process, coupled with an interpretation operator, called $\mathrm{Interp}$, describing the required behavior of non-faulty processes. Informally, $\mathrm{Interp}(\sigma_1) = \mathrm{Interp}(\sigma_2)$ for processes in $\mathrm{names}(\tau)$, where $\tau = \sigma_1 \cap \sigma_2$ with $\dim(\tau) = n - rk - 1$. Formally:

Definition 5.6. For any simplexes $\sigma_1$ and $\sigma_2$ in $\mathcal{K}$, with $\dim(\mathcal{K}) = n - rk$, let $(P_i, \mathrm{Interp}(\sigma_1)) = (P_i, \mathrm{Interp}(\sigma_2))$ if and only if $\sigma_1 = \sigma_2$, or $P_i \in \mathrm{names}(\tau)$ where $\tau = \sigma_1 \cap \sigma_2$ and $\dim(\tau) = n - rk - 1$.

Definition 5.7. For any pure simplicial complexes $\mathcal{K}$ and $\mathcal{L}$ with $\dim(\mathcal{K}) \le n - rk$ and $\mathcal{L} \subseteq \mathcal{K}$, the $\mathcal{K}$-equivocation operator $\mathcal{E}_{\mathcal{K}}$ is

$$\mathcal{E}_{\mathcal{K}}(\mathcal{L}) = \bigcup_{\tau \in \mathrm{Faces}^{n-rk-1}(\mathcal{L})} \Psi\big(\mathrm{names}(\tau); \{\mathrm{Interp}(\sigma^*) : \sigma^* \in \mathcal{K}, \sigma^* \supseteq \tau\}\big). \qquad (4)$$

Note that $\mathcal{E}_{\mathcal{K}}(\mathcal{L}) = \emptyset$ whenever $\dim(\mathcal{L}) < n - rk - 1$ or $\dim(\mathcal{K}) < n - rk$, and also that

$$\mathcal{E}_{\mathcal{K}}(\sigma) = \bigcup_{\tau \in \mathrm{Faces}^{n-rk-1}(\sigma)} \Psi(\mathrm{names}(\tau); \mathrm{Interp}(\sigma)) \qquad (5)$$

for any $\sigma \in \mathcal{K}$ with $\dim(\sigma) = n - rk$. For convenience of notation, define $\mathcal{E}(\mathcal{K}) = \mathcal{E}_{\mathcal{K}}(\mathcal{K})$.

Next, we investigate some technical properties of these constructions that allow us to prove that the final complex is $(k-1)$-connected.

Lemma 5.8. For any pure, shellable simplicial complex $\mathcal{K}$ with $\dim(\mathcal{K}) \le n - rk$, the $\mathcal{K}$-equivocation operator $\mathcal{E}_{\mathcal{K}}$ is a carrier map.
Proof. Let $\tau \subseteq \sigma \in \mathcal{K}$. We show that $\mathcal{E}_{\mathcal{K}}(\tau) \subseteq \mathcal{E}_{\mathcal{K}}(\sigma)$. If $\dim(\tau) < n - rk - 1$ then $\mathcal{E}_{\mathcal{K}}(\tau) = \emptyset$ and $\mathcal{E}_{\mathcal{K}}(\tau) \subseteq \mathcal{E}_{\mathcal{K}}(\sigma)$ for any $\sigma \supseteq \tau$ in $\mathcal{K}$. Otherwise, if $\dim(\tau) = \dim(\sigma)$ then $\tau = \sigma$ and $\mathcal{E}_{\mathcal{K}}(\tau) = \mathcal{E}_{\mathcal{K}}(\sigma)$, as we assumed that $\sigma \supseteq \tau$ in $\mathcal{K}$. The remaining case is when $\dim(\tau) = n - rk - 1$ and $\dim(\sigma) = n - rk$, which makes $\mathcal{E}_{\mathcal{K}}(\tau) \subseteq \mathcal{E}_{\mathcal{K}}(\sigma)$ in light of Definition 5.7. □

Let $(\mathcal{C}^r \circ \mathcal{E})$ be the composite map such that $(\mathcal{C}^r \circ \mathcal{E})(\sigma) = \mathcal{E}_{\mathcal{C}^r(\sigma)}(\mathcal{C}^r(\sigma))$. While, for an arbitrary complex $\mathcal{K}$, $\mathcal{E}_{\mathcal{K}}$ is not a strict carrier map per se, we show in the following lemmas that $(\mathcal{C}^r \circ \mathcal{E})$ is a $(k-1)$-connected carrier map. Lemma 5.9 shows that $(\mathcal{C}^r \circ \mathcal{E})$ is a strict carrier map, and Lemma 5.10 shows that for any $\sigma \in \mathcal{K}^{r-1}$, $(\mathcal{C}^r \circ \mathcal{E})(\sigma)$ is $((k-1) - \mathrm{codim}_{\mathcal{K}^{r-1}}(\sigma))$-connected.

Lemma 5.9. $(\mathcal{C}^r \circ \mathcal{E})$ is a strict carrier map.

Proof. Consider $\sigma, \tau \in \mathcal{K}^{r-1}$, with $\mathcal{L} = \mathcal{C}^r(\sigma)$ and $\mathcal{M} = \mathcal{C}^r(\tau)$. Both $\mathcal{L}$ and $\mathcal{M}$ are pure, shellable simplicial complexes with dimension $n - rk$ (Definition 5.1 and Lemma 5.4). Therefore, both the $\mathcal{L}$-equivocation and $\mathcal{M}$-equivocation operators are well-defined. Also, $\mathcal{C}^r$ is a strict carrier map, hence $\mathcal{L} \cap \mathcal{M} = \mathcal{C}^r(\sigma) \cap \mathcal{C}^r(\tau) = \mathcal{C}^r(\sigma \cap \tau)$. Note that $\mathcal{L} \cap \mathcal{M} = \mathcal{C}^r(\sigma \cap \tau)$, if not empty, is a pure, shellable simplicial complex with dimension $n - rk$. Therefore, the $(\mathcal{L} \cap \mathcal{M})$-equivocation operator is well-defined.

First, we show that $\mathcal{E}(\mathcal{L}) \cap \mathcal{E}(\mathcal{M}) \subseteq \mathcal{E}(\mathcal{L} \cap \mathcal{M})$, which implies one direction of our equality: $\mathcal{E}(\mathcal{C}^r(\sigma)) \cap \mathcal{E}(\mathcal{C}^r(\tau)) \subseteq \mathcal{E}(\mathcal{C}^r(\sigma) \cap \mathcal{C}^r(\tau)) = \mathcal{E}(\mathcal{C}^r(\sigma \cap \tau))$.

For clarity, let $F(\mathcal{K}) = \mathrm{Faces}^{n-rk-1}(\mathcal{K})$. Then,

$$\mathcal{E}(\mathcal{L}) \cap \mathcal{E}(\mathcal{M}) = \bigcup_{\mu \in F(\mathcal{L})} \mathcal{E}_{\mathcal{L}}(\mu) \ \cap \bigcup_{\nu \in F(\mathcal{M})} \mathcal{E}_{\mathcal{M}}(\nu) = \bigcup_{\substack{\mu \in F(\mathcal{L}) \\ \nu \in F(\mathcal{M})}} \mathcal{E}_{\mathcal{L}}(\mu) \cap \mathcal{E}_{\mathcal{M}}(\nu).$$

For arbitrary $\mu \in F(\mathcal{L})$ and $\nu \in F(\mathcal{M})$, if $\mathcal{E}_{\mathcal{L}}(\mu) \cap \mathcal{E}_{\mathcal{M}}(\nu) \ne \emptyset$, consider two cases:

1. $\mu$ and $\nu$ are proper faces of $\phi \in (\mathcal{L} \cap \mathcal{M})$. In this case,

$$\mathcal{E}_{\mathcal{L}}(\mu) \cap \mathcal{E}_{\mathcal{M}}(\nu) = \Psi(\mathrm{names}(\mu) \cap \mathrm{names}(\nu); \mathrm{Interp}(\phi)),$$

which is inside $\mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\phi) \subseteq \mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\mathcal{L} \cap \mathcal{M})$.

2. Otherwise, $\mu \subset \phi_1 \in \mathcal{L}$ or $\nu \subset \phi_2 \in \mathcal{M}$. In this case,

$$\mathcal{E}_{\mathcal{L}}(\mu) \cap \mathcal{E}_{\mathcal{M}}(\nu) = \Psi(\mathrm{names}(\mu) \cap \mathrm{names}(\nu); \mathrm{Interp}(\phi_1) \cap \mathrm{Interp}(\phi_2)).$$

By Definition 5.6 the above is non-empty only when $\mathrm{Interp}(\phi_1) = \mathrm{Interp}(\alpha)$ with $\alpha \in \mathcal{L}$, $\mathrm{Interp}(\phi_2) = \mathrm{Interp}(\beta)$ with $\beta \in \mathcal{M}$, and there exists a non-empty set $P'$ such that $P' \subseteq \mathrm{names}(\mu) \cap \mathrm{names}(\nu) \subseteq \mathrm{names}(\gamma)$, where $\gamma = \alpha \cap \beta$ with $\dim(\gamma) = n - rk - 1$. Let $P''$ be a maximal $P'$ satisfying such condition. Note that $\gamma \in (\mathcal{L} \cap \mathcal{M})$, so $(\mathcal{L} \cap \mathcal{M}) \ne \emptyset$.

Since $(\mathcal{L} \cap \mathcal{M})$ is non-empty, pure, and shellable with dimension $n - rk$, there must exist a simplex $\gamma' \supset \gamma$ with dimension $n - rk$. Moreover, $\mathrm{Interp}(\gamma') = \mathrm{Interp}(\alpha) = \mathrm{Interp}(\phi_1)$ and $\mathrm{Interp}(\gamma') = \mathrm{Interp}(\beta) = \mathrm{Interp}(\phi_2)$ for processes in $\mathrm{names}(\gamma)$, given the definition of $\mathrm{Interp}$. In conclusion, we have $\mathcal{E}_{\mathcal{L}}(\mu) \cap \mathcal{E}_{\mathcal{M}}(\nu) = \Psi(P''; \mathrm{Interp}(\gamma')) \subseteq \Psi(\mathrm{names}(\gamma); \mathrm{Interp}(\gamma'))$, which is inside $\mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\gamma') \subseteq \mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\mathcal{L} \cap \mathcal{M})$.

In the other direction, we have $\mathcal{E}(\mathcal{L} \cap \mathcal{M}) = \mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\mathcal{L} \cap \mathcal{M}) \subseteq \mathcal{E}_{\mathcal{L}}(\mathcal{L} \cap \mathcal{M}) \subseteq \mathcal{E}_{\mathcal{L}}(\mathcal{L}) = \mathcal{E}(\mathcal{L})$, since (i) $\mathcal{E}_{\mathcal{L} \cap \mathcal{M}}(\chi) \subseteq \mathcal{E}_{\mathcal{L}}(\chi)$ for any $\chi \in \mathcal{L} \cap \mathcal{M}$ (Definition 5.7); and (ii) $\mathcal{E}_{\mathcal{L}}$ is a carrier map (Lemma 5.8). The same argument proves that $\mathcal{E}(\mathcal{L} \cap \mathcal{M}) \subseteq \mathcal{E}(\mathcal{M})$, and therefore $\mathcal{E}(\mathcal{L} \cap \mathcal{M}) \subseteq \mathcal{E}(\mathcal{L}) \cap \mathcal{E}(\mathcal{M})$. □

Lemma 5.10. For any $\sigma \in \mathcal{K}^{r-1}$, $\mathcal{E}(\mathcal{C}^r(\sigma))$ is $((k-1) - \mathrm{codim}_{\mathcal{K}^{r-1}}(\sigma))$-connected.

Proof. Consider $\sigma \in \mathcal{K}^{r-1}$ with $\mathrm{codim}_{\mathcal{K}^{r-1}}(\sigma) < k$. By Lemma 5.4, $\mathcal{M} = \mathcal{C}^r(\sigma)$ is a pure, shellable simplicial complex with $\dim(\mathcal{M}) = n - rk = d$. By Definition 5.7, $\mathcal{E}(\mathcal{M})$ is well-defined and $\dim(\mathcal{E}(\mathcal{M})) = n - rk - 1 = d'$. Note that $d' \ge n - t > 2t \ge 2k$, since $n + 1 > 3t$ and $t \ge k$.

First, we show that $\mathcal{E}(\mathcal{M})$ is “highly connected”, that is, $(2k-1)$-connected. We proceed by induction on $\mu_0, \ldots, \mu_l$, a shelling order of the facets of $\mathcal{M}$.

Base. We show that $\mathcal{E}_{\mathcal{M}}(\mu_0)$ is $(2k-1)$-connected. Considering Definition 5.7, we have that $\mathcal{E}_{\mathcal{M}}(\mu_0) = \mathcal{E}_{\mathcal{M}}(\tau_0) \cup \ldots \cup \mathcal{E}_{\mathcal{M}}(\tau_d)$, with $\tau_0, \ldots, \tau_d$ being all the proper faces of $\mu_0$.

Consider the cover $\{\mathcal{E}_{\mathcal{M}}(\tau_i) : 0 \le i \le d\}$ of $\mathcal{E}_{\mathcal{M}}(\mu_0)$, and its associated nerve $\mathcal{N}(\{\mathcal{E}_{\mathcal{M}}(\tau_i) : 0 \le i \le d\})$. For any index set $J \subseteq I = \{0, \ldots, d\}$, let

$$\mathcal{K}_J = \bigcap_{j \in J} \mathcal{E}_{\mathcal{M}}(\tau_j) = \Psi\Big(\bigcap_{j \in J} \mathrm{names}(\tau_j); \mathrm{Interp}(\mu_0)\Big).$$

For any $J$ with $|J| \le d$, we have $\bigcap_{j \in J} \mathrm{names}(\tau_j) \ne \emptyset$, making $\mathcal{K}_J$ a non-empty pseudosphere with dimension $d' - |J| + 1 \ge 2k - |J| + 1$. So, $\mathcal{K}_J$ is $((2k-1) - |J| + 1)$-connected by Lemmas 4.3 and 4.4. The nerve is hence the $(d-1)$-skeleton of $I$, which is $(d-2) = (d'-1) \ge (2k-1)$-connected. By the Nerve Theorem, $\mathcal{E}_{\mathcal{M}}(\mu_0)$ is also $(2k-1)$-connected.

IH. Assume that $\mathcal{Y} = \bigcup_{0 \le y < x} \mathcal{E}_{\mathcal{M}}(\mu_y)$ is $(2k-1)$-connected, and let $\mathcal{X} = \mathcal{E}_{\mathcal{M}}(\mu_x)$. We must show that $\mathcal{Y} \cup \mathcal{X} = \bigcup_{0 \le y \le x} \mathcal{E}_{\mathcal{M}}(\mu_y)$ is $(2k-1)$-connected. Note that $\mathcal{X}$ is $(2k-1)$-connected by an argument identical to the one above for the base case $\mathcal{E}_{\mathcal{M}}(\mu_0)$. Besides,

$$\mathcal{Y} \cap \mathcal{X} = \Big(\bigcup_{0 \le y < x} \mathcal{E}_{\mathcal{M}}(\mu_y)\Big) \cap \mathcal{E}_{\mathcal{M}}(\mu_x) = \bigcup_{0 \le y < x} \big(\mathcal{E}_{\mathcal{M}}(\mu_y) \cap \mathcal{E}_{\mathcal{M}}(\mu_x)\big) \overset{(*)}{=} \bigcup_{i \in S} \mathcal{E}_{\mathcal{M}}(\tau_i),$$

where $i \in S$ is such that $\big(\bigcup_{0 \le y < x} \mu_y\big) \cap \mu_x = \bigcup_{i \in S} \tau_i$. The set $S$ is well-defined since $\mathcal{M}$ is shellable. The step $(*)$ holds because: (i) $\mathcal{Y} \cap \mathcal{X}$ must include at least $\bigcup_{i \in S} \mathcal{E}_{\mathcal{M}}(\tau_i)$; and (ii) $\mathcal{E}_{\mathcal{M}}(\mu_y) \cap \mathcal{E}_{\mathcal{M}}(\mu_x) \ne \emptyset$ only if $\psi = \Psi(\mathrm{names}(\mu_y \cap \mu_x); \mathrm{Interp}(\mu_x))$ exists, the latter inside $\psi' = \Psi(\mathrm{names}(\tau_j); \mathrm{Interp}(\mu_x))$ for some $j \in S$, or we contradict the fact that $\mathcal{M}$ is shellable.

Using an argument identical to the one for $\mathcal{E}_{\mathcal{M}}(\mu_0)$, yet considering the cover $\{\mathcal{E}_{\mathcal{M}}(\tau_i) : i \in S\}$, the nerve of $\mathcal{X} \cap \mathcal{Y}$ is either the $(d-1)$-skeleton of $S$ (if $S = \{0, \ldots, d\}$) or the whole simplex $S$ (otherwise). By the Nerve Theorem, $\bigcup_{i \in S} \mathcal{E}_{\mathcal{M}}(\tau_i)$ is $(2k-1)$-connected.

Once again, using the Nerve Theorem, since $\mathcal{Y}$ is $(2k-1)$-connected, $\mathcal{X}$ is $(2k-1)$-connected, and $\mathcal{Y} \cap \mathcal{X}$ is $(2k-1)$-connected, we have that $\mathcal{Y} \cup \mathcal{X}$ is $(2k-1)$-connected.

While the equivocation operator yields high connectivity $(2k-1)$ in the pseudosphere $\mathcal{C}^r(\sigma)$, the composition of $\mathcal{C}^r$ and $\mathcal{E}_{\mathcal{C}^r(\sigma)}(\mathcal{C}^r(\sigma))$ limits the connectivity to $(k-1)$, since the former map is only defined for simplexes with codimension $< k$. Formally, as $\mathcal{C}^r(\sigma) \ne \emptyset$ for any simplex $\sigma \in \mathcal{K}^{r-1}$ with $\mathrm{codim}_{\mathcal{K}^{r-1}}(\sigma) < k$, we have that $\mathcal{E}(\mathcal{C}^r(\sigma))$ is $((k-1) - \mathrm{codim}_{\mathcal{K}^{r-1}}(\sigma))$-connected. □


From Lemmas 5.9 and 5.10 we conclude the following.

Corollary 5.11. $(\mathcal{C}^r \circ \mathcal{E})$ is a $(k-1)$-connected carrier map.

Theorem 5.12. An adversary can keep the protocol complex of a Byzantine synchronous system $(k-1)$-connected for $\lceil t/k \rceil$ rounds.

Proof. If $m = 0$, then $t \bmod k = 0$, and the adversary runs only the crash rounds, failing $k$ processes each time, for $r = \lfloor t/k \rfloor = \lceil t/k \rceil$ consecutive rounds. We have the following scenario:

$$(\mathcal{C}^1 \circ \ldots \circ \mathcal{C}^r)(\sigma).$$

Since $\mathcal{C}^i : \mathcal{K}^{i-1} \to 2^{\mathcal{K}^i}$ is a $(k-1)$-shellable carrier map for $1 \le i \le r$ (Lemma 5.4), the composition $(\mathcal{C}^1 \circ \ldots \circ \mathcal{C}^r)$ is a $(k-1)$-connected carrier map for any facet $\sigma \in \mathcal{I}$ (Lemma 5.5).

If $m > 0$, the adversary performs $r$ crash rounds (failing $k$ processes each time), followed by the extra equivocation round. We have the following scenario:

$$(\mathcal{C}^1 \circ \ldots \circ \mathcal{C}^{r-1} \circ (\mathcal{C}^r \circ \mathcal{E}))(\sigma). \qquad (6)$$

Since $\mathcal{C}^i : \mathcal{K}^{i-1} \to 2^{\mathcal{K}^i}$ is a $(k-1)$-shellable carrier map for $1 \le i \le r - 1$ (Lemma 5.4), and $(\mathcal{C}^r \circ \mathcal{E})$ is a $(k-1)$-connected carrier map (Corollary 5.11), we have that the composition above, $(\mathcal{C}^1 \circ \ldots \circ \mathcal{C}^{r-1} \circ (\mathcal{C}^r \circ \mathcal{E}))$, is a $(k-1)$-connected carrier map for any facet $\sigma \in \mathcal{I}$ (Lemma 5.5). □

6 k-Set Agreement and Lower Bound

The $k$-set agreement problem and connectivity are closely related. Lemma 6.1, proved in Appendix A, shows that no solution is possible for $k$-set agreement with a $(k-1)$-connected protocol complex, which, as seen in Sec. 5, can occur at least until round $\lceil t/k \rceil$.

Lemma 6.1. If, starting at $\sigma \in \mathcal{I}$, the protocol complex $\mathcal{P}(\sigma)$ is $(k-1)$-connected, then no decision function $\delta$ solves the $k$-set agreement problem.

We now present a simple $k$-set agreement algorithm for Byzantine synchronous systems, running in $\lceil t/k \rceil + 1$ rounds. The procedure requires a relatively large number of processes compared to $t$: we assume $n + 1 \ge k(3t + 1)$. The procedure was designed with the purpose of tightening the connectivity lower bound, favoring simplicity over optimality in the number of processes.

Non-faulty processes initially execute a gossip phase for $\lceil t/k \rceil + 1$ rounds, followed by a validation phase, and a decision phase, where the output is chosen. Define $R = \lceil t/k \rceil$, and consider the following tree, where nodes are labeled with words over the alphabet $P$. The root node is labeled as $\lambda$, which represents the empty string. Each node $w$ such that $0 \le |w| < R$ has $n + 1$ child nodes labeled $wp$ for all $p \in P$. Any non-faulty process $P_i$ maintains such a tree, denoted $T_i$.

All nodes $w$ are associated with the value $\mathrm{Cont}_p(w)$, called the contents of $w$. The special value $\bot$ represents an absent input. We omit the subscript $p$ when the process is implied or arbitrary. We divide the processes into $k$ disjoint groups: $P(g) = \{P_x \in P : x \equiv g \pmod k\}$, for $0 \le g < k$. For any tree $T$, we call $T(g)$ the subtree of $T$ having only nodes $wp \in T$ such that $p \in P(g)$.

In the validation phase, if we have a set $Q$ containing $(n + 1) - t$ processes that acknowledge all messages transmitted by process $p$ (making sure that $p \in Q$), at every round $1 \le r \le R$, we call such a set the quorum of $p$, denoted $\mathrm{Quorum}(p)$. Formally, $\mathrm{Quorum}(p) = Q \subseteq P$ such that $p \in Q$, $|Q| \ge (n + 1) - t$, and $q \in Q$ whenever $\mathrm{Cont}(wp) = v$ implies $\mathrm{Cont}(wpq) = v$, for any $wp$ with $0 \le |wp| < R$. It should be clear that every non-faulty process has a quorum containing at least all other non-faulty processes. If a process $p$ has a quorum as seen by process $P_i \in G$, we say that $wp$ has been validated on $P_i$, for any $wp$ with $0 \le |wp| < R$ (and that $p$ has been validated on $P_i$). Note that in our definition either all entries $wp$ for $p \in P$ are validated, or none is. Lemma 6.2, proven in Appendix B, shows that validated entries are unique across non-faulty processes.

Algorithm 1 $P_x$.Agree($I$)

 1: if $k = 1$ then
 2:     return Decision(Multiset(Cont($p$) : $p$ output by consensus algorithm))
 3: Cont($w$) $\leftarrow \bot$ for all $w \in T$
 4: Cont($\lambda$) $\leftarrow I$                                        ▷ Gossip
 5: for $\ell$ : 1 to $\lceil t/k \rceil + 1$ do
 6:     send($S^{\ell-1} = \{(w, \mathrm{Cont}(w)) : |w| = \ell - 1\}$)
 7:     upon recv($S^{\ell-1} = \{(w, v) : |w| = \ell - 1, v \in V \cup \{\bot\}\}$) from $P_y$ do
 8:         Cont($wP_y$) $\leftarrow v$ for all $(w, v) \in S^{\ell-1}$
 9: $P' \leftarrow \{P_i : P_i \text{ has a quorum}\}$                          ▷ Validation
10: if $|P'| = (n + 1) - t$ then
11:     Apply completion rule for all $wb$ where $b \in P \setminus P'$ and $|wb| = \lceil t/k \rceil$
12: $g \leftarrow$ any $g$ such that $T(g)$ is pivotal                        ▷ Decision
13: for $\ell$ : $\lceil t/k \rceil - 1$ down to 1 do
14:     Apply consensus rule for all non-validated $wb$ where $b \in P(g)$ and $|wb| = \ell$
15: return Decision(Multiset(Cont($p$) : $p \in T(g)$))

Lemma 6.2. If $p$ has been validated on non-faulty processes $P_i$ and $P_j$, then $\mathrm{Cont}_i(wp) = \mathrm{Cont}_j(wp)$ for any $0 \le |w| < R$.

In the decision phase, if we see $t$ processes without a quorum, we have technically identified all faulty processes $B$. In this case, we fill the $R$-th round values of any $b \in B$ using the completion rule: we make $\mathrm{Cont}(wb) = v$ if we have $(n + 1) - 2t$ processes $G' \subseteq G$ where $\mathrm{Cont}(wbg) = v$ for any $g \in G'$ and $|wb| = R$. If a process $b$ has its $R$-round values completed as above in process $P_i \in G$, we say that $wb$ has been completed on $P_i$ for any $|wb| = R$. Lemma 6.3, proven in Appendix B, shows that completed entries are identical and consistent with validated entries across non-faulty processes. (Intuitively, the completion rule was applied over identical values from correct processes.)

Lemma 6.3. If $wp$ has been completed or validated on a non-faulty process $P_i$, and $wp$ has been completed on a non-faulty process $P_j$, then $\mathrm{Cont}_i(wp) = \mathrm{Cont}_j(wp)$.

We have two possible cases: (i) there is a subtree $T(g)$ with fewer than $\lceil t/k \rceil$ non-validated processes; call such a subtree pivotal; or (ii) no such subtree exists. In case (ii) each of the $k$ disjoint groups $P(g)$ contains at least $\lceil t/k \rceil$ non-validated processes, so at least $k \lceil t/k \rceil \ge t$ processes lack a quorum; since every non-faulty process has one, exactly the $t$ faulty processes have been identified. We then apply the completion rule to the $R$-round values in $T(0)$, and define $T(0)$ as our pivotal subtree instead. A pivotal subtree, therefore, always exists according to the definition above.

Denote the set of processes occurring in the word $w$ as $\mathrm{SetProc}(w)$. For any non-validated $wb$ with $b \in P(g)$ in a pivotal subtree $T(g)$, where $1 \le |wb| < R$, we establish consensus on $\mathrm{Cont}(wb)$. We apply the consensus rule: $\mathrm{Cont}(wb) = v$ if the majority of processes $p \in P(g) \setminus \mathrm{SetProc}(wb)$ is such that $\mathrm{Cont}(wbp) = v$. This rule is applied first to entries labeled $wb$ where $|wb| = R - 1$, and then moving upwards (please refer to Alg. 1). Our algorithm is essentially separating the possible chains of unknown values across disjoint process groups, which either forces one of these chains to be shorter than $R = \lceil t/k \rceil$, or reveals all faulty processes, giving us the ability to apply the completion rule. This fundamental tradeoff underlies our algorithm, and ultimately explains why the $\lceil t/k \rceil$ connectivity bound is tight. Lemma 6.4, proven in Appendix B, shows that the consensus rule indeed establishes consensus across non-faulty processes that identify $T(g)$ as the pivotal subtree.
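The gossip, validation, completion and consensus steps above, as an added Python simulation that is not part of the paper: it runs Algorithm 1 at every process on a constructed Byzantine execution and reports the decisions of the non-faulty processes. The quorum definition is assumed from the proof of Lemma 6.2, since its defining sentence falls before this page: $p$ has a quorum on $P_i$ if at least $(n+1)-t$ processes $q$ satisfy $\mathrm{Cont}_i(wpq) = \mathrm{Cont}_i(wp)$ for every $wp$ with $1 \le |wp| \le R$. Decision() is assumed to return the most frequent value, smallest on ties; $T(g)$ is taken as the subtree whose first letter lies in $P(g)$; and the group partition, the faulty set and the adversary's lies are constructed for the demo. The scenario goes beyond the single cases discussed in the text: $P_0$ sees all three faulty processes without a quorum, so it applies the completion rule (repairing $P_8$'s second-round lie about $P_3$'s input), finds $T(0)$ non-pivotal and $T(1)$ pivotal, and uses the consensus rule to recover $P_{20}$'s equivocated input, while every other non-faulty process validates everyone and decides from $T(0)$. The outcome is exactly two decision values, as $k$-set agreement with $k = 2$ allows.

```python
# Added simulation of Algorithm 1 (not the paper's code).  Words are tuples of
# process ids, () is the empty word lambda, and cont[i][w] is Cont_i(w).
from collections import Counter
from itertools import product
from math import ceil


def gossip(inputs, faulty, lie, rounds):
    """Full-information gossip.  In round l every process sends its entries of
    length l-1; what P_y says about w is stored under w+(y,).  Non-faulty
    processes relay exactly what they hold; a faulty y sends lie(y, i, w, v),
    which may differ per receiver i (equivocation)."""
    P = range(len(inputs))
    cont = {i: {(): inputs[i]} for i in P}
    for l in range(1, rounds + 1):
        sent = {y: [(w, v) for w, v in cont[y].items() if len(w) == l - 1] for y in P}
        for i in P:
            for y in P:
                for w, v in sent[y]:
                    cont[i][w + (y,)] = lie(y, i, w, v) if y in faulty else v
    return cont


def has_quorum(ci, p, P, R, t):
    """Assumed quorum definition (inferred from the proof of Lemma 6.2): at
    least (n+1)-t processes q echo every entry wp with 1 <= |wp| <= R,
    i.e. Cont(wpq) = Cont(wp)."""
    echoing = sum(all(ci[w + (p, q)] == ci[w + (p,)]
                      for L in range(R) for w in product(P, repeat=L)) for q in P)
    return echoing >= len(P) - t


def completion_rule(ci, validated, b, P, R, t):
    """Fill the R-round entries wb of an exposed faulty b with the value that
    at least (n+1)-2t processes with a quorum report for wbg."""
    for w in product(P, repeat=R - 1):
        v, c = Counter(ci[w + (b, g)] for g in validated).most_common(1)[0]
        if c >= len(P) - 2 * t:
            ci[w + (b,)] = v


def consensus_rule(ci, group, b, P, level):
    """Set Cont(wb), |wb| = level, to the value held by a majority of the
    processes of P(g) that do not occur in wb."""
    for w in product(P, repeat=level - 1):
        wb = w + (b,)
        voters = [p for p in group if p not in wb]
        v, c = Counter(ci[wb + (p,)] for p in voters).most_common(1)[0]
        if 2 * c > len(voters):
            ci[wb] = v


def decision(values):
    """Assumed Decision(): most frequent value, smallest value on ties."""
    return min(values, key=lambda v: (-values.count(v), v))


def decide(ci, P, groups, R, t):
    """Validation, completion, pivotal subtree and consensus for one process."""
    validated = {p for p in P if has_quorum(ci, p, P, R, t)}
    if len(validated) == len(P) - t:            # all t faulty processes exposed
        for b in set(P) - validated:
            completion_rule(ci, validated, b, P, R, t)
    # pivotal: fewer than R non-validated members; if no group qualifies, every
    # group has >= R of them, all t faulty are exposed, and T(0) is used
    pivotal = [g for g, grp in enumerate(groups) if len(set(grp) - validated) < R]
    g = pivotal[0] if pivotal else 0
    for level in range(R - 1, 0, -1):           # from |wb| = R-1 upwards
        for b in set(groups[g]) - validated:
            consensus_rule(ci, groups[g], b, P, level)
    return decision([ci[(p,)] for p in groups[g]])


def k_set_agreement(inputs, faulty, lie, t, k, groups):
    """Run Algorithm 1 at all processes; return the non-faulty decisions and
    the (post-decision) trees."""
    P, R = range(len(inputs)), ceil(t / k)
    cont = gossip(inputs, faulty, lie, R + 1)
    return {i: decide(cont[i], P, groups, R, t) for i in P if i not in faulty}, cont


def demo():
    """Constructed scenario: n+1 = 21 > k(3t+1) = 20 processes, t = 3 Byzantine
    (8 and 9 in P(0), 20 in P(1)), k = 2, hence R = 2 and three rounds."""
    inputs = list(range(21))                    # process i proposes i
    groups = [list(range(0, 10)), list(range(10, 21))]

    def lie(b, receiver, w, v):
        if receiver == 0 and w == ():           # equivocate on own input to P_0
            return 10 * v
        if b == 8 and receiver == 0 and w == (3,):   # round-2 lie about P_3
            return 3000
        return v

    return k_set_agreement(inputs, {8, 9, 20}, lie, t=3, k=2, groups=groups)


if __name__ == "__main__":
    decisions, _ = demo()
    print(sorted(set(decisions.values())))      # at most k = 2 distinct values
```

Running the module prints the set of decided values. `k_set_agreement` is generic in $n$, $t$, $k$ and the group partition, so other adversaries can be plugged in through `lie`; in the demo $P_0$ decides from $T(1)$ and every other non-faulty process from $T(0)$, which is where the two distinct values come from.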

Lemma 6.4. For any two non-faulty processes $P_i$ and $P_j$ that applied the consensus rule on a pivotal subtree $T(g)$, with $0 \le g < k$, we have that $\mathrm{Cont}_i(p) = \mathrm{Cont}_j(p)$ for any $p \in P(g)$.

Theorem 6.5. Algorithm 1 solves $k$-set agreement in $\lceil t/k \rceil + 1$ rounds.

Proof. Termination is trivial, as we execute exactly $R + 1 = \lceil t/k \rceil + 1$ rounds. By Lemma 6.4, each pivotal subtree yields a unique decision value across the non-faulty processes that select it. As at most $k$ pivotal subtrees are identified across non-faulty processes, at most $k$ values are decided across non-faulty processes. □

7 Conclusion 

In Byzantine synchronous systems, the protocol complex can remain $(k-1)$-connected for $\lceil t/k \rceil$ rounds, potentially one more round than in crash-failure systems. We conceive a combinatorial operator modeling the ability of Byzantine processes to equivocate without revealing their Byzantine nature, just after $\lfloor t/k \rfloor$ rounds of crash failures. We compose this operator with the regular crash-failure operators, extending $(k-1)$-connectivity up to $\lceil t/k \rceil$ rounds. We show this bound is tight, at least when $n$ is relatively large compared to $t$, via a full-information protocol that solves a formulation of $k$-set agreement.

It may be surprising that Byzantine failures impose only one additional synchronous round over the crash-failure model, and at most that in our standard setting, where inputs are arbitrarily attributed to processes and the number of processes is strictly bigger than $k(3t+1)$. In terms of solvability vs. number of rounds, the penalty for moving from crash to Byzantine failures can thus be quite limited. Previous work has hinted at this possibility operationally, since (i) in synchronous systems where $n$ is large enough compared to $t$, crash failures can be simulated on Byzantine systems with a 1-round delay [2]; and (ii) techniques similar to reliable broadcast deal with the problem of Byzantine equivocation, also with a 1-round delay. This extra round is crucial, but also sufficient, to limit the impact of Byzantine behavior in rather usual operational settings.
A Appendix: Proofs for the Connectivity Arguments

Proof of Lemma 6.1


Proof. Consider a $k$-simplex $\sigma = \{u_0, \ldots, u_k\} \subseteq \{v_0, \ldots, v_d\}$ with $k+1$ different inputs. Let $\mathcal{I}_\beta = (I^\beta, \beta)$ for any $\beta \subseteq \sigma$, and $\mathcal{I}_x = \bigcup_{\beta \in \mathrm{skel}^x(\sigma)} \mathcal{I}_\beta$. We construct a sequence of continuous maps $g_x : |\mathrm{skel}^x(\sigma)| \to |\mathcal{K}_x|$, where $\mathcal{K}_x$ is homeomorphic to $\mathrm{skel}^x(\sigma)$ in $|\mathrm{skel}^x(\mathcal{P}(\mathcal{I}_x))|$.

Base. Let $g_0$ map any vertex $v \in \sigma$ to a vertex in $\mathcal{K}_v = \mathcal{P}(\mathcal{I}_{\{v\}})$. We know that $\mathcal{K}_v$ is $k$-connected since $\dim(\mathcal{I}_{\{v\}}) = \dim(\mathcal{I})$ and $\mathcal{P}$ is a $k$-connected carrier map. We just constructed

$g_0 : |\mathrm{skel}^0(\sigma)| \to |\mathcal{K}_0|,$

where $\mathcal{K}_0$ is isomorphic to $\mathrm{skel}^0(\sigma)$ in $|\mathrm{skel}^0(\mathcal{P}(\mathcal{I}_0))|$.

Induction Hypothesis. Assume $g_{x-1} : |\mathrm{skel}^{x-1}(\sigma)| \to |\mathcal{K}_{x-1}|$ for any $x \le k$, where $\mathcal{K}_{x-1}$ is isomorphic to $\mathrm{skel}^{x-1}(\sigma)$ in $|\mathrm{skel}^{x-1}(\mathcal{P}(\mathcal{I}_{x-1}))|$. For any $\beta \in \mathrm{skel}^x(\sigma)$, we have that $\mathrm{skel}^x(\mathcal{P}(\mathcal{I}_\beta))$ is $(x-1)$-connected, hence the continuous image of the $(x-1)$-sphere in $\mathcal{P}(\mathcal{I}_\beta)$ can be extended to the continuous image of the $x$-disk in $\mathrm{skel}^x(\mathcal{P}(\mathcal{I}_\beta))$. We just constructed

$g_x : |\mathrm{skel}^x(\sigma)| \to |\mathcal{K}_x|,$

where $\mathcal{K}_x$ is isomorphic to $\mathrm{skel}^x(\sigma)$ in $|\mathrm{skel}^x(\mathcal{P}(\mathcal{I}_x))|$. In the end, we have $g_k : |\sigma| \to |\mathcal{K}_k|$, where $\mathcal{K}_k$ is isomorphic to $\sigma$ in $\mathrm{skel}^k(\mathcal{P}(\mathcal{I}_k))$.

Now suppose, for the sake of contradiction, that $k$-set agreement is solvable, so there must be a simplicial map $\delta : \mathcal{P}(\mathcal{I}) \to \mathcal{O}$ carried by $\Delta$. Then, induce the continuous map $\delta_c : |\mathcal{K}_k| \to |\sigma|$ from $\delta$ such that $\delta_c(v) \in |\mathrm{views}(\delta(\mu))|$ if $v \in |\mu|$, for any $\mu \in \mathcal{K}_k$. Also, note that the composition of $g_k$ with the continuous map $\delta_c$ induces another continuous map $|\sigma| \to |\partial\sigma|$, since by assumption $\delta$ never maps a $k$-simplex of $\mathcal{K}_k$ to a simplex with $k+1$ different views (so $\delta_c$ never maps a point to $|\mathrm{Int}\,\sigma|$). We built a continuous retraction of $\sigma$ onto its own boundary $\partial\sigma$, which is impossible, since a simplex admits no continuous retraction onto its boundary. Since our assumption was that there existed a simplicial map $\delta : \mathcal{P}(\mathcal{I}) \to \mathcal{O}$ carried by $\Delta$, we conclude that $k$-set agreement is not solvable. □

B Appendix: Proofs for the k-Set Agreement Procedure

Proof of Lemma 6.2

Proof. If $p$ has been validated on $P_i \in G$, then $\mathrm{Cont}_i(wp) = v$ implies $\mathrm{Cont}_i(wpq) = v$ for $(n+1) - t$ different processes $q \in Q_i$, and $\mathrm{Cont}_j(wp) = v'$ implies $\mathrm{Cont}_j(wpq) = v'$ for $(n+1) - t$ different processes $q \in Q_j$, for any $0 \le |w| < R$. As we have at most $t$ faulty processes and $n + 1 > 3t$, $|Q_i \cap Q_j| \ge (n+1) - 2t \ge t + 1$, so $Q_i \cap Q_j$ contains at least one non-faulty process, which by definition broadcasts values consistently in its run. Hence, $\mathrm{Cont}_i(wp)$ and $\mathrm{Cont}_j(wp)$ must be identical. □

Proof of Lemma 6.3

Proof. If $wp$ has been validated on $P_i$, then $\mathrm{Cont}_i(wp) = v$ implies $\mathrm{Cont}_i(wpq) = v$ for $(n+1) - t$ different processes $q \in Q$. When $P_j$ applies the completion rule on $wp$, then $\mathrm{Cont}_j(wpq) = v$ for at least $(n+1) - 2t$ different processes $q \in G$, as we have at most $t$ faulty processes. Therefore, $\mathrm{Cont}_i(wp) = \mathrm{Cont}_j(wp)$.

If $wp$ has been completed on all non-faulty processes, they all have identified the $t$ faulty processes, and the completion rule is performed over identical entries associated with non-faulty processes. Therefore, $\mathrm{Cont}_i(wp) = \mathrm{Cont}_j(wp)$ as well. □
Proof of Lemma 6.4


Proof. Consider a non-faulty process $P_i$ establishing the value of $\mathrm{Cont}_i(wp)$ with the consensus rule. Define $\mathrm{SetCons}(wp) = P(g) \setminus \mathrm{SetProc}(wp)$ for any $wp \in T(g)$ with $|wp| < R$, noting that $|\mathrm{SetCons}(wp)| \ge 2t + 2$ as $|P(g)| \ge 3t + 1$ and $|wp| < t$.

Consider two cases: (i) if $wp$ has been validated at a non-faulty process $P_j$ with $\mathrm{Cont}_j(wp) = v$, at most $t$ values from $S_i = \mathrm{Multiset}(\mathrm{Cont}_i(wpq) : q \in \mathrm{SetCons}(wp))$ will be different from $v$. Hence, there will always be a majority of values in $S_i$ equal to $v$, because $|S_i| \ge 2t + 2$. (ii) Otherwise, if $wp$ has not been validated at any non-faulty process, all $\mathrm{Cont}(wp)$ values are being calculated over consistent values, by Lemma 6.3, which makes all non-faulty processes establish $\mathrm{Cont}(wp)$ consistently with the consensus rule. □